rpm addsign with gpg agent

Unfortunately I am not yet able to use my gpg key to create working signed rpms. But during debugging this I had to sign lots of test rpms nevertheless and enter a new password every time. Luckily during the debugging it became clear how to make rpm use the gpg-agent instead of passing the password via a file descriptor to gpg.

Thanks go to Jeff Johnson for motivating me to do this and telling me that it is ok to modify %__gpg_sign_cmd. And also to Panu Matilainen for backing this up. I normally have a strong aversion against modifying macros that begin with two underscores, but with this encouragement it is not that bad. ;-)

That’s enough talk, here comes the code:

I added this to my ~/.rpmmacros file:

%__gpg_check_password_cmd /bin/true
%__gpg_sign_cmd %{__gpg} gpg --batch --no-verbose --no-armor --use-agent --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}

Now rpm will still ask for a password, but one can enter anything. If the gpg-agent needs a password to unlock a key, it will just fire up the pinentry command, which by default allows three password entry attempts. If entering an empty password for rpm is still too annoying for you, Aaron Hawley described how to use expect to provide a password to rpm.
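As an added, constructed check (not code from the post), the POSIX shell script below reads an rpmmacros file, confirms that the two macros above route signing through gpg-agent rather than handing the passphrase to gpg on a file descriptor, and expands %__gpg_sign_cmd the way rpm does so the exact command can be tried by hand before running rpm --addsign. The macro file path, the gpg binary path, the key name and the file names are assumptions.

```shell
#!/bin/sh
# Constructed sample of the two-line ~/.rpmmacros fragment from the post
# (not the author's actual file); used by the self-test.
SAMPLE_MACROS='%__gpg_check_password_cmd /bin/true
%__gpg_sign_cmd %{__gpg} gpg --batch --no-verbose --no-armor --use-agent --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}'

# macro_value FILE NAME: print the value of macro NAME defined in FILE.
# Assumes one definition per line (no backslash continuations); last one wins, as in rpm.
macro_value() {
    awk -v name="$2" '$1 == name { $1 = ""; sub(/^ +/, ""); val = $0 } END { print val }' "$1"
}

# check_agent_signing FILE: return 0 when FILE makes rpm sign through gpg-agent:
# the sign command carries --use-agent, and neither it nor the password check
# still hands the passphrase to gpg on a file descriptor.
check_agent_signing() {
    sign=$(macro_value "$1" '%__gpg_sign_cmd')
    pwcheck=$(macro_value "$1" '%__gpg_check_password_cmd')
    case "$sign" in
        *--passphrase-fd*) echo "sign cmd still passes the passphrase on an fd"; return 1 ;;
        *--use-agent*) ;;
        *) echo "sign cmd lacks --use-agent"; return 1 ;;
    esac
    case "$pwcheck" in
        *--passphrase-fd*) echo "password check still passes the passphrase on an fd"; return 1 ;;
        "") echo "password check not overridden (rpm's default passes it on an fd)"; return 1 ;;
    esac
    return 0
}

# render_sign_cmd FILE GPG NAME SIG PLAIN: expand the macro references in
# %__gpg_sign_cmd as rpm does, so the exact command can be run by hand to
# confirm that gpg-agent/pinentry prompts before trying rpm --addsign.
render_sign_cmd() {
    macro_value "$1" '%__gpg_sign_cmd' |
        sed -e "s|%{__gpg}|$2|g" -e "s|%{_gpg_name}|$3|g" \
            -e "s|%{__signature_filename}|$4|g" -e "s|%{__plaintext_filename}|$5|g"
}

# Usage: ./check_rpmmacros.sh ~/.rpmmacros   (script and file names are assumptions)
if [ $# -gt 0 ]; then
    check_agent_signing "$1" && echo "ok: rpm signing will use gpg-agent"
    render_sign_cmd "$1" /usr/bin/gpg "KEY NAME" pkg.sig pkg.plain
fi
```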


One Response to “rpm addsign with gpg agent”

  1. Martijn Brinkers Says:

    After I upgraded my machine to Ubuntu 10.04, the password check somehow always failed. Using echo instead of /bin/false seems to work:

    %__gpg_check_password_cmd echo "*******"

    Not sure why it didn't work with /bin/false
